Title: Section 404 Audits of Internal Control and Control Risk
1 Section 404 Audits of Internal Control and
Control Risk
2 Internal Control Objectives
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with laws and regulations
3 Management's Responsibilities for Internal Control
Management - responsible for establishing and
maintaining internal control
I/C offers reasonable assurance
I/C has inherent limitations
4 Management's Responsibilities for Internal Control
Management's Section 404 reporting
responsibilities
- Design of internal control over financial
reporting
- Focus is on controls over mgmt. assertions (Ch 6)
- Operating effectiveness of controls
- Must be tested and evaluated for effectiveness
5 Auditor Responsibilities Related to Internal
Control
Second standard of fieldwork: A sufficient
understanding of internal control is to be
obtained in order to plan the audit and to
determine the nature, timing, and extent
of tests to be performed.
Control over classes of transactions (vs.
account balances)
Auditor responsibilities for testing and
reporting (Ch. 2) on internal control
6 Five Components of Internal Control
Control environment
Risk assessment
Information and communication
Control activities
Monitoring
7 The Control Environment
Actions, policies and procedures that reflect
overall attitudes of top management (tone from
the top)
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee
participation
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies and practices
8 Risk Assessment
For audit purposes, management's identification
and analysis of risks relevant to the preparation
of financial statements in conformity with GAAP.
9 Control Activities
Policies and procedures (in addition to those in
the other four components)
- Adequate separation of duties
- Proper authorization of transactions and
activities
- Adequate documents and records
- Physical control over assets and records
- Independent checks on performance
10 Adequate Separation of Duties
11 Proper Authorization of Transactions and
Activities
General authorization: policies for the
organization to follow.
Specific authorization: applies to individual
transactions
12 Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple use
Constructed to encourage correct preparation
13 Physical Control over Assets and Records
The most important measure for safeguarding
assets and records is the use of physical
precautions: limit access to assets/records.
14 Independent Checks on Performance
The need for independent checks arises because
internal controls tend to change over time unless
there is a mechanism for frequent review.
15 Information and Communication
The purpose of an accounting information and
communication system is to
initiate, record, process, and report the
entity's transactions and to maintain
accountability for the related assets.
16 Monitoring
Monitoring activities deal with
management's ongoing and periodic assessment of
the quality of internal control performance
to determine whether controls are operating as
intended and modified when needed.
17 How the Size of the Business Affects Internal
Control
In general the SEC believes that small businesses
should be expected to adhere to the same internal
control standards that apply to larger public
companies.
The SEC has also stated that the burden
to smaller companies can be disproportionate.
18 Four Phases of a Financial Statement Audit
19 Obtain and Document Understanding of Internal
Control
SAS 55 and PCAOB Standard 2 both require the
auditor to obtain an understanding of internal
control for every audit.
- Procedures to obtain an understanding
- Design of internal controls
- Whether placed in operation
- Uses this information as a basis for the
integrated audit.
20 Methods Used
Narrative
Flowchart
Internal control questionnaire
21 Narrative
1. The origin of every document and record in
the system
2. All processing that takes place
3. The disposition of every document and
record in the system
4. An indication of the controls relevant to
the assessment of control risk
22 Evaluating Internal Control Operation
Update and evaluate auditor's previous experience
with the entity.
Make inquiries of client personnel.
Examine documents and records.
Observe entity activities and operations.
Perform walkthroughs of the accounting system.
23 Assess Control Risk
Assess whether the financial statements are
auditable.
Determine assessed control risk supported by the
understanding obtained assuming the controls are
being followed.
Use of a control risk matrix to assess control
risk
24 Control Risk Matrix
Identify transaction-related audit objectives.
Identify existing controls.
Associate controls with transaction-related audit
objectives.
Identify and evaluate control deficiencies,
significant deficiencies, and material weaknesses
25 Evaluating Significant Control Deficiencies
Material Weakness
26 Communicate Internal Control Deficiencies and
Related Matters
- Audit committee communications
- Significant deficiencies and material
weaknesses must be communicated
Management letters
27 Tests of Controls
The procedures to test effectiveness of
controls in support of a reduced assessed
control risk are called tests of controls.
28 Procedures for Tests of Controls
1. Make inquiries of client personnel.
2. Examine documents, records, and reports.
3. Observe control-related activities.
4. Reperform client procedures.
29 Extent of Procedures
- PCAOB 2 requires public company auditors
to test controls each year for all relevant
assertions for all significant accounts and transactions
- Reliance on evidence from prior year's audit
- PCAOB 2 is concerned with adequacy of I/C as of
the end of the fiscal year
- Timing of tests depends on the nature of controls
and frequency at which they are performed.
30 Procedures to Obtain an Understanding vs. Tests
of Controls
In obtaining an understanding, procedures are
applied to all controls to identify those likely
to prevent/detect material misstatements in
specified assertions. Tests of controls are
applied only when the assessed control risk has
not been done in obtaining an understanding.
Procedures to obtain an understanding are
performed on few transactions, while tests of
controls are performed on larger samples.
31 Relationship of Assessed Control Risk and Extent
of Procedures (Table 10-3)
32 Decide Planned Detection Risk and Design
Substantive Tests
The auditor uses the results of the control
risk assessment process and tests of controls
to determine the planned detection risk
and related substantive tests.
The auditor links the control risk assessments to
the balance-related audit objectives.
33 Section 404 Reporting on Internal Control
34 Section 404 Reporting on Internal Control
2
The auditor's opinion on whether the
company maintained, in all material respects,
effective internal control over financial
reporting as of the specified date.
35 Types of Opinions on Internal Controls Over
Financial Reporting
- Unqualified
- No identified material weaknesses
- No scope limitations
- Adverse
- Material weaknesses exist
- Qualified or disclaimer of opinion
- Scope limitation
36 Differences in Scope of Controls Tested
Nonpublic Company